Add a New User Activity Rule

Learn how to create a new user activity rule to monitor user and administrator activity.
User activity rules enable activity logging and activity alerting. You can track user activities that compromise your organization. You can create a rule that sends email alerts or creates an activity monitoring log entry when a user downloads a large number of reports, or when a user tries to access a SaaS application from a malicious IP address. There are numerous other examples that warrant activity monitoring.
  1. Add a new rule.
    1. Select Policy > User Activity Rules > New Rule.
  2. Define the basic settings.
    1. Enter a Name for the rule.
    2. (Optional) Enter a Description for the rule.
    3. Specify a Severity for the rule ranging from 1 to 5, with 5 representing the highest risk type of incident.
  3. Specify the Items to Detect.
    1. Select one of the following:
      • Users—Applies the policy rule to users.
      • Assets—Applies the policy rule to assets such as files or folders.
    2. (Optional) Manage Exceptions for the rule. Enter the users or assets you want to exclude from the rule. For example, you might want to exclude SaaS Security API administrators from user activity monitoring.
  4. Specify the match criteria for the activity.
  5. Verify that an action is enabled.
    Choices include:
    • Log Only (default)—For activity logging purposes, log the policy violation.
    • Send admin alert—For activity alerting purposes, send an email for policy violations that require immediate action. SaaS Security API can send up to five emails per hour on matches against each policy rule.
  6. Verify that the policy rule is enabled.
    In Basics, verify that the Status is Enabled. A rule can be in the enabled or disabled state. After you add a new rule, you must enable the rule.
  7. Save your new policy rule.
    Save your changes.
    SaaS Security API starts scanning files against the policy rule as soon as you save the changes. After the scan starts, you can View Policy Violations for User Activity.
